
DATE | CVE | VULNERABILITY TITLE | RISK

2015-09-28 | CVE-2015-6928 | Improper Access Control vulnerability in Cubecart | 6.8
  classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.
  Attack vector: network. Product: cubecart. Weakness: CWE-284.

2014-04-22 | CVE-2014-2341 | Improper Authentication vulnerability in Cubecart | 6.8
  Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
  Attack vector: network. Product: cubecart. Weakness: CWE-287.

2013-02-08 | CVE-2013-1465 | Deserialization of Untrusted Data vulnerability in Cubecart | 9.8 (critical)
  The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.
  Attack vector: network. Attack complexity: low. Product: cubecart. Weakness: CWE-502.

2012-02-21 | CVE-2012-0865 | Improper Input Validation vulnerability in Cubecart | 5.8
  Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php.
  Attack vector: network. Product: cubecart. Weakness: CWE-20.

2011-10-08 | CVE-2010-4903 | SQL Injection vulnerability in Cubecart 4.3.3 | 7.5
  SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter.
  Attack vector: network. Attack complexity: low. Product: cubecart. Weakness: CWE-89.

2011-09-23 | CVE-2011-3724 | Information Exposure vulnerability in Cubecart 4.4.3 | 5.0
  CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/shipping/USPS/calc.php and certain other files.
  Attack vector: network. Attack complexity: low. Product: cubecart. Weakness: CWE-200.

2010-06-10 | CVE-2010-1931 | SQL Injection vulnerability in Cubecart | 7.5
  SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php.
  Attack vector: network. Attack complexity: low. Product: cubecart. Weakness: CWE-89.

2009-11-24 | CVE-2009-4060 | SQL Injection vulnerability in Cubecart | 7.5
  SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 allows remote attackers to execute arbitrary SQL commands via the productId parameter.
  Attack vector: network. Attack complexity: low. Product: cubecart. Weakness: CWE-89.

2009-11-06 | CVE-2009-3904 | Permissions, Privileges, and Access Controls vulnerability in Cubecart 4.3.4 | 7.5
  classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via an HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.
  Attack vector: network. Attack complexity: low. Product: cubecart. Weakness: CWE-264.

2008-03-31 | CVE-2008-1550 | Cross-Site Scripting vulnerability in Cubecart 4.2.1 | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and (2) the Submit parameter.
  Attack vector: network. Product: cubecart. Weakness: CWE-79.